Site log-in, HTTPS or HTTP?

Saturday 18th April, 2009

Four months on from Monster’s big security breach they’re still using plain-text HTTP for logging in, and for changing your password.

While that’s fairly common for lower-risk web apps from cash-strapped start-ups and solo developers, for someone like Monster it seems inappropriate. Monster run sites all over the world, have a clear revenue stream, and they store an awful lot of personal information. Exactly the kind of information that’d be useful to identity thieves.

A few SSL certificates won’t break their bank account unless it was breaking anyway.

It’s got me wondering though. What proportion of sites actually bother with SSL? Sadly the only stats I’ve found on SSL adoption are some vague hints at data from Netcraft (scroll to the bottom). These stats seem to indicate that only 60 out of the “top 1000” sites use SSL, but I’m not sure exactly what criteria they’re using to gather those numbers.

Has anyone got any idea what proportion of sites use HTTPS for login?


Monster security FAIL

Sunday 25th January, 2009

International job site Monster has suffered a serious security breach and an undisclosed portion of its user database is now in criminal hands.

Prompted by Monster’s warning to change your passwords if you use their site, I decided out of curiosity to see if there were any tell-tale signs that they store actual passwords, rather than hashes. Following their instructions, I dutifully changed my password. They didn’t send the original, only a link to change it (which suggests they probably store hashes rather than plain text passwords). The link only worked once, subsequent attempts were blocked, which is good.

Then I found a security hole, which for the sake of responsible disclosure I will not reveal now. I’ve emailed Monster and asked them to get in touch with me to sort the problem out.

[Updated – Monday 26th Jan] On further thought, the barrier to entry on this exploit is so high (man in the middle) and the time pressures are so immediate (lots of people will be changing their passwords right now) that I think it’s right to publish it, and responsible disclosure weighs on my side. It’s pretty simple. Monster’s forgotten password tool transmits your passwords over HTTP, rather than HTTPS.

Whoever developed this obviously thought a little about man-in-the-middle, as the password parameter is ‘obscured’.

Below is the unencrypted new password, visible to anyone between my web browser and Monster’s servers.

{
"encryptedTicket":"ljy1astmbrv25fjoq3kvts2...",
"newPasswrod":"cheese555"
}
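The issue in both posts is the same: a form that carries a password (login or reset) submitting over plain HTTP, where an "obscured" ticket parameter does nothing to hide the password field itself from anyone on the path. The following is an added example, not code from the original posts or from Monster: a small audit script that parses a page with Python's standard-library HTML parser, resolves each form's action against the page URL, and flags any form containing a password field whose resolved action is not https://. The sample pages and the host example.test are constructed for the example.

```python
"""Audit whether password forms on a page submit over HTTPS.

Added example, not from the original post. It parses HTML with the
standard-library parser and flags any <form> that contains a password
field but whose resolved action URL is not https://. The sample HTML
below is constructed for this example and is not any real site's markup.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Collect every <form> and whether it holds an <input type="password">."""

    def __init__(self):
        super().__init__()
        self.forms = []      # list of {"action": str, "has_password": bool}
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": attrs.get("action") or "", "has_password": False}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (attrs.get("type") or "").lower() == "password":
                self._current["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_password_forms(page_url, html):
    """Return [(resolved_action, secure), ...] for each form with a password field.

    secure is True only when the form submits to an https:// URL. A relative or
    empty action inherits the page's own scheme, so a password form on a plain
    http:// page is insecure even though the markup never names a URL.
    """
    parser = _FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if not form["has_password"]:
            continue
        action = urljoin(page_url, form["action"])
        results.append((action, urlsplit(action).scheme == "https"))
    return results


# Constructed sample pages (hypothetical host, not a real site).
SAMPLES = {
    # Page served over HTTP with a relative action: the password leaves in clear,
    # regardless of any hidden "ticket" value sent alongside it.
    "http://example.test/reset": """
        <form method="post" action="/account/reset">
          <input name="ticket" type="hidden" value="abc">
          <input name="newPassword" type="password">
        </form>""",
    # HTTPS page, but the form explicitly posts to an HTTP endpoint.
    "https://example.test/login": """
        <form method="post" action="http://example.test/do-login">
          <input name="user" type="text">
          <input name="pass" type="password">
        </form>
        <form method="get" action="/search"><input name="q" type="text"></form>""",
    # Correct: HTTPS page with a relative action, so the password stays on HTTPS.
    "https://example.test/ok": """
        <form method="post" action="login">
          <input name="pass" type="password">
        </form>""",
}


def audit_all(samples=SAMPLES):
    """Audit every sample page; returns {page_url: [(action, secure), ...]}."""
    return {url: audit_password_forms(url, html) for url, html in samples.items()}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        for action, secure in findings:
            status = "ok" if secure else "INSECURE (password form does not submit over HTTPS)"
            print(f"{url} -> {action}: {status}")
```

Pointed at a fetched page instead of the embedded samples, the same function gives a quick yes/no answer to the question in the April post for any site you care to check; note that it only inspects the form as served, so JavaScript that rewrites the action at runtime would need a browser-based check.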